Account Security vs. Application and Service Security
An AWS account is going to draw unwanted attention due to the amount of raw data you will be working with. Furthermore, it is all fairly accessible through the native application programming interface (API). AWS does provide a multitude of native tools to help you configure permissions for your users and keeps an active log for all actions taken for review, monitoring, and auditing purposes.
Applications and Services hosted in AWS can still be directly threatened by a variety of different attacks. Cross-site scripting (referred to as XSS) and general brute-force attacks are aimed at user endpoints while DDoS (distributed denial-of-service) attacks will attempt to overwhelm your environment through a massive wave of simulated interactions with your applications. Even if such attacks do not have the endgame of stealing your information, there are other ways they can harm your operations.
AWS security tools are designed with interoperability in mind to seamlessly integrate with other cloud platforms and on-premises systems. This is achieved through various mechanisms such as APIs, SDKs, and management consoles that allow AWS security services to communicate with external systems. For example, AWS Security Hub can aggregate security alerts and findings from different sources, including third-party security solutions, providing a centralized view of security across both AWS and non-AWS environments. Services like AWS Identity and Access Management (IAM) support federation with external identity providers, enabling unified access control for cloud and on-premises resources.
Both fronts are equally important and minimizing the risk to you and your customers’ data is a constantly changing fight.
AWS Account Security Toolkits
1. Amazon IAM (Identity Access Management)
IAM serves as the linchpin for creating roles, fine-tuning permissions, and troubleshooting access configurations. It comes equipped with essential security features like multi-factor authentication and single sign-on, pivotal for enhancing user authentication processes. Notably, IAM adheres to the principle of least privilege, advocating for granting users only the necessary permissions to fulfill their duties, thereby diminishing the impact of potential security breaches.
2. Amazon Guard Duty
Navigating the potential costs of implementing top security tools in an AWS environment requires a keen understanding of how expenses can fluctuate based on usage and scale. Guard Duty diligently logs all activities within your application, employing pattern recognition to detect any suspicious behaviors like privilege escalation, exposed credentials, or communication with malicious entities. Moreover, Guard Duty can swiftly identify compromised instances, ensuring your system remains secure. Importantly, it is crucial to note that costs will escalate in correlation with the amount of data processed.
3. Amazon Macie
Macie proactively searches for vulnerabilities in your AWS S3 buckets. It is designed to sift through your bucket for sensitive data such as personal information and alert the user to what data might be unencrypted, what data is accessible to external factors, and what data has been accessed by other organizations. Do keep in mind costs will increase based on the number of S3 buckets being monitored.
4. AWS Config
The Config continuously evaluates how your AWS resources are configured, including historically. This is mostly meant to help you continuously meet legal and policy standards set out by your organization. Should the situation require it, Config can also execute remediation actions such as encrypting the volume or deleting it. Configuration is per region, so it’s essential to enable AWS Config in all regions to ensure all resources are recorded.
5. AWS CloudTrail
CloudTrail is enabled by default in all AWS accounts since August 2017 and is especially useful if your organization wants to use multiple accounts. It tracks all activity in your AWS environments such as command executions on the AWS console and all API calls. You can view and search these events to identify unexpected or unusual requests in your AWS environment. It even comes with an add-on called CloudTrail Insights for providing further insight into discovered suspicious activity.
6. AWS Security Hub
This is where all the information from the aforementioned services is combined and laid out for the user to easily comprehend and decide on future actions. Some information is gathered on the side from third parties to give your team a much more complete picture of your AWS environment. Security Hub meets some key security industry standards such as the CIS AWS Foundations Benchmark and Payment Card Industry Data Security Standard (PCI DSS).
AWS Application Security Toolkits
7. Amazon Inspector
Inspector is a security assessment service for applications deployed on EC2. It is designed to evaluate network access, common vulnerabilities and exposures (CVEs), Center for Internet Security (CIS) benchmarks, and provide common best practices such as disabling root login for SSH and validating system directory permissions on your EC2 instances. It’s best to run Inspector as part of a gated check in your deployment pipeline to assess your applications’ security before deploying to production.
8. Amazon Shield
Shield is your first line of defense against DDoS attacks and is enabled for all AWS environments by default. It continues to work across all endpoints on every account under your organization. As an added bonus, it works in conjunction with AWS Web Application Firewall to further reinforce against malicious traffic inbound to your websites and applications.
9. AWS Web Application Firewall
Web Application Firewall (WAF) is a manually adjustable monitor that protects applications and APIs built on services such as CloudFront, API Gateway, and AppSync. Access to endpoints can be adjusted by a variety of criteria such as the source IP address, the request’s origin country, values in headers and bodies, and other criteria. The AWS Marketplace also includes a set of managed rules you can associate with your WAF, along with 3rd party managed rules from leading security vendors.
10. AWS Secrets Manager
AWS Secrets Manager provides a more advanced approach to key rotation and permissions compared to Parameter Store. It offers native and automatic rotation of keys to ensure better security and compliance. Additionally, AWS Secrets Manager provides fine-grained permissions, allowing for more precise control over who can access and manage secrets. Furthermore, it includes central auditing capabilities for secret rotation, which enables easier tracking and monitoring of changes made to secrets. These features set AWS Secrets Manager apart from Parameter Store in terms of key rotation and permissions.
